
GDPR Best Practice In Brief

Individuals located outside the European Union (EU) may wonder what the purpose or rationale is for the General Data Protection Regulation (GDPR).

In the United States, real estate records, stock investments, professional licenses (for example: medical doctor, nursing, attorney, accounting, pilot, etc.), personal licenses (for example: hunting, fishing, private pilot, etc.), and even voter registrations are all public data. Conversely, EU citizens and others residing in Europe maintain that their personal data is just that: personal. What is considered “personal data”? Any information related to a natural person, or “Data Subject”, that can be used directly or indirectly to identify that person (Gdpreu.org, 2018). Examples of personal data may include: name, mailing address, email address, posts on social networking websites, patient health information, photos, IP addresses, or other identifiers specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Gdpreu.org, 2018). Europeans believe that the privacy of their personal data is a basic human right, similar to a United States citizen’s right of “expressing oneself, free worship or even the freedom to pursue ‘life, liberty and the pursuit of happiness.’”

According to the EU GDPR Portal, the EU Parliament approved the GDPR on April 14, 2016, after four years of deliberation and preparation. The Regulation replaces Data Protection Directive 95/46/EC and seeks to protect and empower all EU citizens, as well as individuals who may reside in the EU. It does this by restructuring the way organizations approach data privacy and by harmonizing laws across Europe. GDPR differs from Data Protection Directive 95/46/EC in that it is a binding legislative act that must be applied in its entirety. Data Protection Directive 95/46/EC was a directive: it established a goal that all EU countries were to achieve, leaving each country to decide how to reach it. Individual countries can decide how they will comply with GDPR; the Regulation also applies to entities that are located outside of Europe (EU GDPR Portal, 2018).

If an organization provides goods or services to, or monitors the behavior of, EU data subjects, it is accountable for complying with GDPR. GDPR applies to every nonprofit processing or holding personal data about anyone in Europe, regardless of whether that person is a citizen or permanent resident of an EU country. Further, organizations with which the nonprofit partners may include GDPR requirements in their contracts (EU GDPR Portal, 2018).

Why should nonprofits care about GDPR? The EU GDPR Portal notes that penalties will be enacted for organizations that breach GDPR compliance. These penalties range from 4 percent of annual global turnover (“turnover” is a synonym for “revenues”) up to €20 million. Fines follow a tiered approach: for example, a company can be fined 2 percent for not having its records in order (Article 28), for not notifying the supervising authority and the data subject about a breach, or for not conducting an impact assessment. The maximum penalty of €20 million may be imposed for the most serious infringements (for example, not having sufficient constituent consent to process data, or violating the Privacy by Design concepts) (EU GDPR Portal, 2018).

A “controller” is the entity that determines the purposes, conditions and means of processing the personal data (Ico.org.uk, 2018). An example of a controller is the nonprofit that houses constituent information in a fundraising database. A “processor” is the entity that processes personal data on behalf of the controller (Ico.org.uk, 2018). An example of a processor could be a third-party vendor to the nonprofit that provides a service such as, but not limited to, marketing, wealth screening, or data appending. One important note is that the rules apply to both controllers and processors of data, meaning that “cloud” providers will not be exempt from GDPR enforcement (EU GDPR Portal, 2018).

GDPR officially went into effect on May 25, 2018. While the message of GDPR has been slow to trickle “across the pond,” some nonprofits in the United States have begun the process of implementing a GDPR compliance program.

The AASP GDPR Best Practice seeks to aid nonprofits grappling with the intricacies and complexities of the Regulation. It does so by providing a readiness assessment and case studies from nonprofit organizations in Europe that have built successful GDPR compliance programs.